Spring Security CORS:来源已被 CORS 策略阻止
Posted
技术标签:
【中文标题】Spring Security CORS:来源已被 CORS 策略阻止【英文标题】:Spring Security CORS: Origin has been blocked by CORS Policy 【发布时间】:2020-08-29 00:20:10 【问题描述】:我在 Angular 项目中第一次使用 Spring Boot,在添加 Spring 安全依赖项之前一切正常
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-test</artifactId>
<scope>test</scope>
</dependency>
现在我在客户端收到此错误:
Access to XMLHttpRequest at 'http://localhost:8080/api/v1/login' from origin 'http://localhost:4200' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: It does not have HTTP ok status.
我尝试按照文档的建议更改配置,所以我添加了类
src/main/java/com/example/securingweb/WebSecurityConfig.java
@Configuration
@EnableWebMvc
public class WebConfig implements WebMvcConfigurer
@Override
public void addCorsMappings(CorsRegistry registry)
registry.addMapping("/**");
我的控制器中也有这个:
@CrossOrigin(origins = "http://localhost:4200")
【问题讨论】:
【参考方案1】:由于您添加了 Spring 安全依赖项,因此 Spring 将启用 Basic Auth,这将验证您的每个请求。这也启用了 CORS(跨源请求共享)。尽管您为每个不足以禁用 CORS 的请求添加了 CrossOrigin。
更多关于CORS的详情
所以要么您需要发送将在您的控制台上打印的 Spring Security 生成的令牌
或
您需要配置 Spring 安全配置类,该类将验证您的身份验证或允许特定的 url。
更多关于 Spring Security here
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import org.springframework.web.filter.CorsFilter;
import java.util.Arrays;
@Configuration
public class CorsConfig
@Bean
public CorsFilter corsFilter()
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
CorsConfiguration config = new CorsConfiguration();
config.setAllowCredentials(true);
config.addAllowedOrigin("*");
config.addAllowedHeader("*");
config.setAllowedHeaders(Arrays.asList("*"));
config.setAllowedOrigins(Arrays.asList("*"));
config.setAllowedMethods(Arrays.asList("GET","POST"));
source.registerCorsConfiguration("/**", config);
return new CorsFilter(source);
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.web.filter.CorsFilter;
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter
@Bean
public PasswordEncoder passwordEncoder()
return new BCryptPasswordEncoder();
@Override
public void configure(WebSecurity web)
web.ignoring()
.antMatchers(
"/*.html",
"/favicon.ico",
"/**/*.html",
"/**/*.css",
"/**/*.js",
"/h2-console/**"
);
@Override
public void configure(HttpSecurity httpSecurity) throws Exception
httpSecurity
.cors()
.and()
.csrf()
.disable()
.exceptionHandling()
.and()
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.authorizeRequests()
.antMatchers("/api/authenticate").permitAll()
.antMatchers("/offerTransactionCall").permitAll()
.anyRequest().authenticated();
【讨论】:
添加了这两个类现在我只有一个:POST localhost:8080/api/v1/login 403 错误。没有 CORS 当您尝试在网络浏览器中打开的网页(或其他资源)是您无权访问的资源时,会发生 403 禁止错误。它被称为 403 错误,因为这是 Web 服务器用来描述这种错误的 HTTP 状态代码。 由于您现在已经配置了 Spring 安全配置,因此您需要定义角色,同时需要应用于特定的端点。所以你需要了解角色将如何在这里使用 看看***.com/questions/6357579/…以上是关于Spring Security CORS:来源已被 CORS 策略阻止的主要内容,如果未能解决你的问题,请参考以下文章
来源 'http://localhost:4200' 已被 CORS 策略阻止
如何修复“评估已被 CORS 政策阻止:反应中没有“访问控制允许来源”